OK, I’ve fiddled with my setup and I think it should work, but these guys still get on my nerves because I don’t understand why they need to download my entire site, ten thousand selectors and counting. And so I learned about blocking IP addresses using `iptables` and `ipset`.
I got all the info from this blog post: Block IP addresses in Linux with iptables.
Here’s the gist of it:
    # Install
    apt-get install ipset
    # create blacklist once
    ipset create blacklist hash:ip hashsize 4096
    # set up iptables rules
    iptables -I INPUT -m set --match-set blacklist src -j DROP
    iptables -I FORWARD -m set --match-set blacklist src -j DROP
    # add a specific IP address
    ipset add blacklist 192.168.1.100
    # confirm the blacklist contains the IP address
    ipset list blacklist
    # show firewall setup
    iptables -L
    # unblock IP address
    ipset del blacklist 192.168.1.100
And for IPv6, *same same but different*.
    ipset create blacklist6 hash:net hashsize 4096 family inet6
    ip6tables -I INPUT -m set --match-set blacklist6 src -j DROP
    ip6tables -I FORWARD -m set --match-set blacklist6 src -j DROP
    ipset add blacklist6 ...
    ipset list blacklist6
    ip6tables -L
To save and restore iptables rules, use the package `iptables-persistent`. Note that it saves only the rules; the contents of the set are separate state and would need `ipset save` and `ipset restore`. We don’t need this, for now.
This seems to work.
#Gopher #Russia #Administration
(Please contact me if you want to remove your comment.)
⁂
Now that I am also using fail2ban, here’s more:
    # iptables --list f2b-alex-apache
    -N f2b-alex-apache
    -A f2b-alex-apache -s XXX -j REJECT --reject-with icmp-port-unreachable
    -A f2b-alex-apache -j RETURN
To remove XXX means to repeat the command but use `-D` instead of `-A`:
    # iptables -D f2b-alex-apache -s XXX -j REJECT --reject-with icmp-port-unreachable
Verify that it is gone:
    # iptables --list-rules f2b-alex-apache
    -N f2b-alex-apache
    -A f2b-alex-apache -j RETURN
– Alex Schroeder 2018-10-07 19:07 UTC
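As an added example (not code from the post or the comment above), a small Python helper that turns the `iptables --list-rules` output for a fail2ban chain into the matching `-D` commands for a given address, so the "repeat the command with `-D` instead of `-A`" step can be done without retyping the rule. The sample output and the addresses in it are constructed.

```python
import ipaddress
import shlex

# Constructed sample of `iptables --list-rules f2b-alex-apache` output;
# the addresses are documentation ranges, not real offenders.
SAMPLE_RULES = """\
-N f2b-alex-apache
-A f2b-alex-apache -s 203.0.113.5/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-alex-apache -s 198.51.100.0/24 -j REJECT --reject-with icmp-port-unreachable
-A f2b-alex-apache -j RETURN
"""


def source_of(tokens):
    """Return the -s/--source network of one rule spec, or None if it has none."""
    for i, tok in enumerate(tokens):
        if tok in ("-s", "--source") and i + 1 < len(tokens):
            # iptables prints hosts as x.x.x.x/32; ip_network handles both forms
            return ipaddress.ip_network(tokens[i + 1], strict=False)
    return None


def delete_commands(rules_text, ip, binary="iptables"):
    """For every -A rule whose source matches `ip`, build the -D twin
    (same chain, identical match spec) that removes exactly that rule."""
    target = ipaddress.ip_address(ip)
    cmds = []
    for line in rules_text.splitlines():
        tokens = shlex.split(line)
        if not tokens or tokens[0] != "-A":
            continue  # -N (chain creation) and blank lines carry no match spec
        net = source_of(tokens)
        if net is not None and target in net:
            cmds.append(" ".join([binary, "-D"] + tokens[1:]))
    return cmds


def still_blocked(rules_text, ip):
    """True if any -A rule in the listing still matches the address;
    run this on a fresh --list-rules listing to verify the removal."""
    return bool(delete_commands(rules_text, ip))


if __name__ == "__main__":
    for cmd in delete_commands(SAMPLE_RULES, "203.0.113.5"):
        print(cmd)
```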